> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nothing-new/
> 
> This is more hoping to start discussions and thinking more than
> believing this is the perfect solution (as it's a hack, though the
> more I've thought about it the happier I've become with the hack).

Just a random idea: turn the protocol upside down

When a client wants to refresh an RRset plus RRSIGs and finds that the
size exceeds some limit, the client adds to the request an EDNS(0) option
that contains the hash of the RRSIGs in some canonical way.
(We can also hash the RRset plus the RRSIGs if we want to support unsigned
zones as well).

When the server finds that the hash of the RRSIGs matches its current RRSIGs
for the RRset it replies with a NONEWDATA error.

The only thing left to decide is how TTLs should be handled, in particular if
the answer is not from an authoritative server.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to